Login
4 Nov 2024

Automattic’s WPScan Is Violating the Rules of the CVE Program With Advance Custom Fields “Vulnerability”

As if there were not enough issue with what Automattic has done related to WP Engine’s Advanced Custom Fields, they are also violating the rules of the CVE program. As CVE’s website puts it, “The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.” Through their WPScan subsidiary, Automattic are able to issues CVE ID as CVE Numbering Authority (CNA). That seems like a bad idea, based on their track record of inaccurate and false claims of vulnerabilities, but CVE has been very clear that they don’t care about the accuracy of their data. The rules of their program do require that within 72 hours issuers must publish records once they disclosed CVE IDs:

4.5.1.3 CNAs SHOULD publish a CVE Record to the CVE List within 24 hours of Publicly Disclosing a CVE ID assigned by the CNA. CNAs MAY publish or update CVE Records as part of the CNA’s processes to manage Vulnerability advisories or other public information that references the CVE ID.

4.5.1.4 CNAs MUST publish a CVE Record to the CVE List within 72 hours of Publicly Disclosing a CVE ID assigned by the CNA. If the CNA does not publish within 72 hours, then the CNA’s Root MAY direct the appropriate CNA-LR to publish a CVE Record for the assigned CVE ID. Ownership of the CVE Record MAY be transferred. See also 4.2.1.2.

In a now deleted tweet on October 5, they publicly disclosed the CVE ID of a claimed vulnerability in Advanced Custom Fields. That would start the clock on publishing the record. But the argument might be that since the tweet was deleted, it doesn’t count. As we noticed when looking into another issue with this situation, Automattic’s WP Scan has an entry for the issue, which is listed as being publicly published on October 24:

That would mean that the CVE record should have been published on by October 27 and yet today it is still not filled in:

We would contact CVE about that, but they don’t seem to care about their rules or the accuracy of their information.

Related posts:

  1. Matt Mullenweg Is Now Claiming WordPress.org Provides “Access to WordPress-Related Software at No Charge,” While Trying to Charge for Access
  2. The Executive Directory of WordPress.org Is an Employee of Automattic

Plugin Security Scorecard Grade for WPScan

Checked on April 12, 2025
F

See issues causing the plugin to get less than A+ grade

Leave a Reply

Your email address will not be published.